Difference between revisions of "PinePhone Security"

From PINE64
Line 17: Line 17:
== SSH ==
== SSH ==


An open SSH port is a typical gateway for attackers on any device exposed to the public Internet. Exposed devices might be attacked within minutes after being exposed. Typically such attacks try default passwords such as "12345", potentially putting the user at risk after connecting the phone via unprotected WiFis or mobile Internet.
An open SSH port is a typical gateway for attackers on any device exposed to the public Internet. Exposed devices might be attacked within minutes after being exposed. Typically such attacks try default passwords such as "12345", potentially putting the user at risk after connecting the phone to an open/unsecured access point, activating mobile data or mobile Internet.


For safety reasons it is highly recommended to only use SSH in combination with keys, instead of simple numeric passwords.
For safety reasons it is highly recommended to only use SSH in combination with keys, instead of simple numeric passwords.
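Review bot: the reworded ending of the first paragraph, "to an open/unsecured access point, activating mobile data or mobile Internet", has no conjunction joining the access-point case to the mobile case, and it lists "mobile data" and "mobile Internet" as if they were two different things. Suggest "after connecting the phone to an open/unsecured access point or activating mobile data".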

Revision as of 17:50, 27 September 2021

This page or section is under construction

Please help to review and edit this page or section. Information is subject to change.

TODO intro

Encryption

While encryption alone is not sufficient to protect sensitive data, it is an important tool to safeguard data against certain attack vectors.

Full-Disk Encryption

Full-disk encryption encrypts the entire disk (except for the boot bits). Currently some OSes, such as postmarketOS and Mobian, offer installation images that have the option to encrypt the entire disk. Some OSes, such as postmarketOS (via pmbootstrap) and Arch Arm, also offer an installation script for a fully encrypted installation.

Decryption is done at boot after entering the encryption password via an on-screen keyboard (Osk-sdl).

Encrypted home directory

SSH

An open SSH port is a typical gateway for attackers on any device exposed to the public Internet. Exposed devices might be attacked within minutes of being exposed. Typically such attacks try default passwords such as "12345", which potentially puts the user at risk after connecting the phone to an open/unsecured access point or activating mobile data (mobile Internet).

For safety reasons it is highly recommended to only use SSH in combination with keys, instead of simple numeric passwords.

TODO: simple how-to of creating and copying SSH keys + certain SSH settings
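
The key-only recommendation above as an added shell example (not part of the wiki page and not PINE64 code): the comments give the usual key setup, and `audit_sshd` checks an sshd_config for settings that still allow password logins. The host `user@pinephone`, the function names and the two sample configs are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the wiki). On the computer you log in from:
#   ssh-keygen -t ed25519
#   ssh-copy-id user@pinephone        # placeholder user/host
# On the phone, in /etc/ssh/sshd_config:
#   PasswordAuthentication no
#   KbdInteractiveAuthentication no   # ChallengeResponseAuthentication on older OpenSSH
# Then audit the file with audit_sshd before restarting sshd.

# effective_value FILE KEYWORD[|ALIAS] DEFAULT
# sshd keeps the FIRST value it reads for a keyword, so a later "no" does
# not override an earlier "yes". Reads only the global section (stops at
# the first Match) and does not follow Include files.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { keys = "|" tolower(key) "|"; val = def }
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }                      # accept Keyword=value
        tolower($1) == "match" { exit }
        !seen && index(keys, "|" tolower($1) "|") { val = tolower($2); seen = 1 }
        END { print val }' "$1"
}

# audit_sshd FILE: prints findings, returns 0 only for key-only login.
# Defaults passed here are the upstream OpenSSH defaults (assumption:
# the distribution has not changed them).
audit_sshd() {
    rc=0
    [ "$(effective_value "$1" passwordauthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(effective_value "$1" "kbdinteractiveauthentication|challengeresponseauthentication" yes)" = no ] ||
        { echo "FAIL: keyboard-interactive authentication is not 'no'"; rc=1; }
    [ "$(effective_value "$1" pubkeyauthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    grep -Eiq '^[[:space:]]*(include|match)[[:space:]]' "$1" &&
        echo "NOTE: Include/Match present; confirm with 'sshd -T' as root"
    return $rc
}

# Constructed sample configs, not taken from a real phone.
tmp=$(mktemp -d)
printf '%s\n' '# early "yes" wins' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$tmp/weak"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication=no' \
    'KbdInteractiveAuthentication no' > "$tmp/keyonly"
for f in weak keyonly; do
    echo "== $f"; audit_sshd "$tmp/$f" && echo "OK: key-only login"
done
```

Keep an existing SSH session open while testing a new login with the key, so a mistake in the config does not lock you out.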

Hardening

Hardware

USB

Validation

dm-verity